Preventing WordPress Brute Force Attacks

Since WordPress is no longer used simply as a blogging platform, site owners often put less emphasis on user management, and this may be a contributing factor to the problem. WordPress site administrators should regularly cycle their passwords and review their user lists to make sure that no one has been added who is not supposed to be there, especially users added at the Administrator level. There are also WordPress sites that do not require people to register before posting comments or performing other actions on the website. To prevent unauthorized access we recommend the following:

  • Block access to wp-login.php using the .htaccess file by requiring an additional password
  • Block access to wp-login.php using the .htaccess file by allowing only a specific IP address or range of IP addresses
  • Find a plugin that blocks access to the login screen after a set number of failed attempts. The plugin should then enforce a lockout interval before the next login attempt is allowed.

The first two methods, which use .htaccess, are recommended because they help prevent excessive resource usage: the web server rejects the request before WordPress and PHP are loaded. There is no guarantee of this with a plugin, since the plugin only runs after WordPress has already handled the request, unless the plugin can limit access regardless of how many login attempts are being made. The following are examples of the .htaccess code for the solutions listed above
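The following .htaccess fragment is an added example, not the article's own code. It shows both of the recommended methods applied to wp-login.php only, so the rest of the site (including the front end and comment forms) is unaffected. The password-file path /home/example/.htpasswd and the address range 203.0.113.0/24 are placeholders you would replace with your own values; the directives themselves are standard Apache 2.4 (mod_authn_file, mod_authz_core and mod_authz_host).

```apache
# Added example: protect the WordPress login form at the web-server level.
# Assumptions: Apache 2.4; the password file lives OUTSIDE the document root
# (placeholder path below); 203.0.113.0/24 and 198.51.100.7 are constructed
# example addresses standing in for the administrators' real ones.

<Files "wp-login.php">
    # Method 1: require an additional HTTP Basic password before the
    # WordPress login page is even served. Create the file once with:
    #   htpasswd -c /home/example/.htpasswd adminuser
    AuthType Basic
    AuthName "Restricted login"
    AuthUserFile /home/example/.htpasswd

    # Method 2: only these source addresses may reach the login form.
    # Because the two Require lines sit inside <RequireAll>, a request
    # must come from an allowed address AND present valid credentials.
    # To use only one of the methods, delete the other Require line
    # (and the Auth* lines if you drop the password check).
    <RequireAll>
        Require ip 203.0.113.0/24 198.51.100.7
        Require valid-user
    </RequireAll>
</Files>
```

Failed attempts are rejected with a 401 or 403 by Apache before PHP starts, which is why these methods keep resource usage low during an attack. Keep the .htpasswd file outside the web root so it can never be downloaded, and if your administrators connect from changing addresses, use the password method alone rather than an IP list that will lock them out. On the older Apache 2.2 the same restriction is written with `Order deny,allow`, `Deny from all`, `Allow from 203.0.113.0/24` and `Satisfy all` instead of the `Require` block.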
